EU AI Act audit-readiness checklist.

How to use this checklist

Tick what you have. Flag what you don't.

Walk the five sections in order. The article reference under each question is the regulatory hook — what an auditor would cite when asking for the underlying evidence. The aim is honest visibility into where your audit-readiness sits today, not a certification of compliance. This checklist is a working tool, not legal advice.

1. Scope, risk classification, and role ownership

Scope, risk classification, and role ownership

Find the systems, actors, and regulatory buckets before the evidence review begins.

• Have you inventoried every AI system placed on the EU market, put into service in the EU, or used by EU-facing teams, including embedded AI components and third-party tools?

  EU AI Act · Arts. 2, 3

• For each system, have you documented the intended purpose, user groups, affected persons, geography, data inputs, outputs, and decision context?

  EU AI Act · Art. 3; Art. 6; Annex III

• Have you screened each system against the prohibited practices list, including social scoring, manipulative or exploitative uses, banned biometric or emotion uses, and prohibited scraping use cases?

  EU AI Act · Art. 5

• Have you classified each system as prohibited, high-risk, transparency-risk, GPAI, or minimal/no risk, with a dated rationale and approver?

  EU AI Act · Art. 5; Art. 6; Art. 50; Art. 53

• If an Annex III system is treated as not high-risk, have you documented the Article 6(3) exception rationale before release and kept it available for authorities?

  EU AI Act · Art. 6(3)-(4)

• Have you assigned provider, deployer, importer, distributor, product manufacturer, and value-chain responsibilities for each system?

  EU AI Act · Arts. 16, 23, 24, 25, 26

• Have staff and contractors who operate, supervise, procure, or govern AI received role-appropriate AI literacy training?

  EU AI Act · Art. 4

• Have legacy systems and systems already in use been reviewed for significant changes, new purposes, or changes in operator role?

  EU AI Act · Art. 25; Art. 111

2. High-risk provider evidence pack

High-risk provider evidence pack

For high-risk AI systems where your organisation is the provider or has provider-like responsibilities.

• Is there a documented, maintained risk management system for each high-risk AI system across design, development, deployment, and post-market use?

  EU AI Act · Art. 9

• Does risk analysis cover known and reasonably foreseeable risks to health, safety, and fundamental rights for intended use and reasonably foreseeable misuse?

  EU AI Act · Art. 9(2)

• Are residual risks and overall residual risk acceptance criteria documented and signed off before release?

  EU AI Act · Art. 9(5)

• Are testing procedures, metrics, probabilistic thresholds, and pass/fail criteria defined before release and repeated when material changes occur?

  EU AI Act · Art. 9(6)-(8); Art. 15

• Does the risk file explicitly consider impacts on persons under 18 and other vulnerable groups where relevant?

  EU AI Act · Art. 9(9)

• Are training, validation, and testing data sources, collection purposes, provenance, labelling, cleaning, updating, enrichment, and aggregation documented?

  EU AI Act · Art. 10(2)

• Have datasets been checked for relevance, representativeness, statistical properties, errors, completeness, and suitability for the intended purpose?

  EU AI Act · Art. 10(3)-(4)

• Is bias detection and mitigation documented, including data gaps, shortcomings, monitoring methods, and corrective actions?

  EU AI Act · Art. 10(2)(f)-(h)

• Before processing special-category personal data for bias detection, have synthetic or anonymised alternatives been assessed and documented?

  EU AI Act · Art. 10(5)(a)

• Is technical documentation complete, current, and mapped to Annex IV before the system is placed on the market or put into service?

  EU AI Act · Art. 11; Annex IV

• Can the system automatically record logs needed for traceability, post-market monitoring, and deployer monitoring?

  EU AI Act · Art. 12

• Do instructions for use clearly state intended purpose, limitations, performance, known risks, input requirements, human oversight, maintenance, and logging?

  EU AI Act · Art. 13

• Are human oversight measures built into the system or deployer controls, with clear authority to monitor, interpret, override, stop, or disregard outputs?

  EU AI Act · Art. 14

• Are accuracy, robustness, cybersecurity metrics, benchmarks, and limitations declared and supported by validation evidence?

  EU AI Act · Art. 15

• Have AI-specific cybersecurity threats been tested, including data poisoning, model poisoning, adversarial examples, model evasion, and confidentiality attacks?

  EU AI Act · Art. 15(5)

• Does the quality management system cover regulatory strategy, design control, development, test/validation, data management, risk management, post-market monitoring, incident reporting, authority communications, documentation control, resources, and accountability?

  EU AI Act · Art. 17

• Are required provider records, technical documentation, conformity evidence, and automatically generated logs retained under a documented retention schedule?

  EU AI Act · Arts. 16, 18, 19

• Is there a documented corrective-action and authority-cooperation process for non-compliance, risk, complaints, incidents, withdrawals, or recalls?

  EU AI Act · Arts. 20, 21, 79, 83

3. Deployer controls and operational readiness

Deployer controls and operational readiness

For teams that operate, supervise, procure, or rely on high-risk AI systems.

• Do deployers use each high-risk system only in accordance with the provider's instructions for use and approved internal procedures?

  EU AI Act · Art. 26(1)

• Are human oversight personnel competent, trained, authorised, supported, and named for each deployed high-risk system?

  EU AI Act · Art. 14; Art. 26(2)

• Where the deployer controls input data, is there a process to ensure inputs are relevant and sufficiently representative for the intended purpose?

  EU AI Act · Art. 26(4)

• Do deployers monitor operation using the instructions for use and escalate risks or serious incidents to providers, distributors, importers, and authorities as required?

  EU AI Act · Art. 26(5); Art. 72; Art. 73

• Are deployer-controlled logs retained for an appropriate period and at least six months unless another law requires otherwise?

  EU AI Act · Art. 26(6)

• For workplace use, have workers' representatives and affected workers been informed before use?

  EU AI Act · Art. 26(7)

• When individuals are subject to high-risk AI-assisted decisions, is notification handled where Article 26 requires it?

  EU AI Act · Art. 26(11)

• Have deployers determined whether a fundamental rights impact assessment is required before first use?

  EU AI Act · Art. 27(1)

• Does the FRIA document process context, intended use, frequency, affected groups, specific harms, oversight, mitigation, governance, and complaint mechanisms?

  EU AI Act · Art. 27(1)

• Where a DPIA already exists, has the FRIA been aligned with it without treating the DPIA as a substitute for all Article 27 elements?

  EU AI Act · Art. 27(4)

4. Conformity, registration, monitoring, and incident response

Conformity, registration, monitoring, and incident response

Test whether market-access and post-market controls are ready for authority review.

• Has the required conformity assessment route been selected and completed before market placement or putting into service?

  EU AI Act · Art. 43

• Is the EU declaration of conformity drafted, versioned, signed, and connected to the relevant technical documentation?

  EU AI Act · Art. 47

• Where required, is CE marking applied to the system, packaging, or accompanying documentation in the approved manner?

  EU AI Act · Art. 48

• Are EU database registration duties identified and completed for high-risk systems and Article 6(4) non-high-risk assessments where required?

  EU AI Act · Art. 49; Art. 71

• Is the post-market monitoring plan part of the technical documentation and aligned with deployer feedback channels and production telemetry?

  EU AI Act · Art. 72

• Does post-market monitoring actively and systematically collect, document, and analyse performance and compliance data throughout the system lifetime?

  EU AI Act · Art. 72(2)

• Is there a serious incident reporting playbook with owners, triage criteria, evidence preservation, timeline tracking, and authority contact details?

  EU AI Act · Art. 73

• Are thresholds for immediate, two-day, ten-day, and fifteen-day reporting scenarios understood by product, security, legal, and operations teams?

  EU AI Act · Art. 73(2)-(4)

5. Transparency, GPAI, and CertifiedData evidence layer

Transparency, GPAI, and CertifiedData evidence layer

Customer-facing systems, generated content, GPAI dependencies, and audit evidence integrity.

• For AI systems that interact with people, generate content, detect emotions, categorise biometric data, or create deepfakes, are Article 50 disclosures clear, accessible, and delivered at the right time?

  EU AI Act · Art. 50

• For synthetic audio, image, video, or text outputs, is machine-readable marking and detection implemented where the provider obligation applies?

  EU AI Act · Art. 50(2)

• If your organisation provides or substantially modifies a general-purpose AI model, are model technical documentation, downstream-provider information, copyright policy, and public training-content summary maintained?

  EU AI Act · Art. 53

• For GPAI models with systemic risk, are model evaluations, adversarial testing, systemic risk assessments, incident reporting, and cybersecurity controls documented?

  EU AI Act · Art. 55

• Are dataset, training-data, model, and output artifacts fingerprinted, versioned, and linked to evidence records that can be reproduced during audit?

  EU AI Act · Arts. 11, 12, 17, 72

• For synthetic datasets or AI artifacts used in compliance evidence, can you verify provenance by hashing the artifact and checking the signed certification record?

  EU AI Act · Evidence support for Arts. 10-12, 17, 72

This checklist supports EU AI Act-aligned audit-readiness. It does not constitute legal advice or guarantee compliance with any regulation. Consult qualified counsel for legal determinations.